Legislation and Regulations

Millions of Americans who were able to obtain health insurance as a result of the Patient Protection and Affordable Care Act (“ACA” or “Obamacare”) are waiting to learn the extent to which Congress and the new administration will repeal, replace, or do something else with the ACA. At the same time, Government contracts lawyers are watching a group of ACA-related lawsuits being litigated at the Court of Federal Claims and the Federal Circuit. The cases involve “risk corridors,” which the ACA implemented to entice insurers to enter healthcare exchanges by reducing downside risk if, among other possibilities, enrollment did not meet projections. After the ACA was implemented (and control of the Legislative branch had shifted), Congress effectively defunded the ACA’s risk corridors (i.e., reduced necessary appropriations), leaving the Department of Health and Human Services (“HHS”) without sufficient funds to pay participating insurers. So far, approximately 20 of those companies have sued and are pursuing damages claims based on the Government’s failure to make promised payments.

Last November, the Court of Federal Claims issued its first merits ruling in one of the ACA risk corridor cases, Land of Lincoln Mutual Health Insurance v. U.S. Judge Lettow’s opinion in that case rejected the plaintiff’s claims based on “statutory entitlement,” breach of contract, and Fifth Amendment taking theories. A decision in a second case, Moda Health Plan v. U.S., was issued late last week by Judge Wheeler—who ruled in that plaintiff’s favor. In Moda Health, the court held that the relevant ACA provision “requires full annual payments to insurers” and, alternatively, that the Government’s non-payment constituted a breach of the implied-in-fact contract with the insurer.

How the current administration and Congress will change ACA—and the American healthcare system—is anybody’s guess. The ACA-related cases before the Court of Federal Claims are not getting the same amount of press as potential changes to the healthcare reform law, but they address important legal and financial consequences of the long-running policy dispute over the ACA. The cases raise complex legal issues that should be of substantial interest to Government contracts lawyers and practitioners before the Court of Federal Claims and the Federal Circuit.
Continue Reading What and How Obamacare Is Doing at the Court of Federal Claims

On October 24, 2016, a federal district court in Texas issued a preliminary injunction in a case called Associated Builders & Contractors, et al. v. Rung, in which it halted implementation of the most controversial aspects of the newly-minted “Fair Pay and Safe Workplaces” FAR rule and the corresponding Department of Labor guidance, including the disclosure provision and the restriction on arbitration agreements. This post discusses the district court decision, which represents a sweeping repudiation of the most significant provisions of the controversial Fair Pay and Safe Workplaces rule and guidance. Mayer Brown previously published a Legal Update explaining the new rule and the Department of Labor guidance in far greater detail. Continue Reading Federal Court Repudiates the Most Significant Provisions of the New DOL Rules

On August 25, 2016, DoD, GSA, and NASA issued a final rule amending the FAR to implement President Obama’s Executive Order on “Fair Pay and Safe Workplaces” (“E.O.”) The Department of Labor (“DOL”) also issued final guidance to assist in the implementation of the E.O. The new FAR rule follows a proposed FAR rule that generated substantial comments. The final rule and guidance represent significant new obligations and risks for contractors and subcontractors, who should start preparing now to address them. This post focuses on the final FAR rule because it imposes specific requirements on contractors and subcontractors. Notably, this post provides only a high-level summary because the new rule, related commentary published in the Federal Register, and DOL’s guidance are lengthy and sometimes complex documents. Mayer Brown also published a Legal Update that discusses these developments in greater detail. Continue Reading Substantial New Rules Implementing “Fair Pay and Safe Workplaces” Executive Order Create Risks for Contractors and Subcontractors

On June 21, 2016, DoD published a notice in the Federal Register indicating that an advisory committee is seeking information to facilitate its review of 10 U.S.C. §§ 2320 and 2321 regarding rights in technical data and the validation of proprietary data restrictions. This is an excellent opportunity for contractors, Government contracts counsel, and others to provide input into rules that play an important role in DoD procurements involving rights in technical data. The notice requires submission of written comments in the very near future—on or before July 21, 2016. The Panel must submit its final report and recommendations to the Secretary of Defense no later than September 30, 2016. Continue Reading DoD Advisory Committee Seeks Comments on Broad Range of Issues Concerning Rights in Technical Data

Back in August 2015, DoD issued an interim rule, which was effective immediately (and was previously discussed on this blog), imposing substantial new requirements on government contractors with respect to reporting information system network penetrations—and providing new cloud computing requirements. Six weeks later, DoD issued a class deviation giving contractors more time to comply with one of the technical requirements being applied by the new DFARS clauses included with the new rule. Last week, DoD again revised the rule to give contractors more time to comply with many of the new technical standards. Specifically, the revised DFARS provision makes clear that contractors have until December 31, 2017 to comply with the technical standards set forth in National Institute of Standards and Technology (NIST) Special Publication 800-171.

NIST 800-171 describes a series of procedures for “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.” These NIST requirements cover a wide array of security issues applicable to contractors’ information systems and are intended to ensure the security of government information that is provided to contractors so that the companies can provide goods and services to DoD.

Initially, DoD made the NIST 800-171 requirements immediately applicable to the large number of businesses that either have a “covered contractor information system” or have “covered defense information transiting their information systems” as part of their contract performance. DoD’s class deviation in October relaxed the standard slightly by amending the DFARS clauses to allow contractors up to nine months (from the date of a new contract award) to comply with section 3.5.3 of NIST 800-171. That section mandates “multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.” (Multifactor authentication requires two or more types of information, e.g., a password and a cryptographic device such as a token, to gain access to the government information.)

Many contractors were unhappy with the unrealistic implementation schedule imposed by the initial (and revised) DFARS provision, and they made their concerns clear to DoD in comments and during a December 14 meeting conducted by the Department to obtain additional feedback. Contractors expressed the need for additional time to analyze the scope of changes that were necessary for their systems—and to implement those changes.

To its credit, DoD modified the DFARS clauses to “provide offerors [contractors] additional time to implement the security requirements specified by NIST 800-171.” Each contractors will now be required to agree, by submitting an offer for a DoD procurement in which DoD information will be provided to contractors, that all of the contractor’s systems will be compliant with NIST 800-171 “not later than December 31, 2017.” Notably, the same requirements must be flowed down in all “subcontracts, or similar contractual instruments, for services that include support for” the goods or services being provided under a contract to which the DFARS clauses apply.

Although the additional time to achieve compliance with NIST 800-171’s requirements is helpful, the new DFARS clauses also impose an additional requirement that must be understood by contractors. “The second interim rule requires contractors, within 30 days of contract award, to notify the DoD Chief Information Officer of any NIST SP 800-171 security requirements that are not implemented at the time of contract award.” Accordingly, contractors will need to track where they are on the path to compliance with 800-171’s requirements so that accurate reports identifying gaps can be provided to the DoD each time contract performance begins under a new award.

A few days ago, on August 26, DoD issued new interim rules amending the Defense Federal Acquisition Regulations (DFARS) with respect to “network penetration reporting and contracting for cloud services.” The new rules, which are now effective, revise several broadly applicable definitions applicable to numerous parts of the DFARS, expand the incident reporting requirements applicable to contractors, and impose security requirements applicable to cloud computing. DoD contractors need to understand these important new rules, which are summarized here, so that they can perform necessary compliance planning and make any necessary disclosures. Continue Reading New Interim Cyber Rules Expand Obligations of DoD Contractors

iStock_000016952672LargeYesterday, the FAR Council issued an interim regulation addressing inverted corporations involved in government contracting. This interim regulation goes into effect immediately, and companies with inverted corporate structures—or those considering a restructuring—need to understand this development. Continue Reading FAR Council Issues Interim Rule Regarding the Prohibition on Certain Corporate Inversions

iStock_000023483293LargeRecently, GAO denied a protest in which the contractor asserted that the solicitation contained an overly restrictive data rights clause and should have used an alternate clause. Gallup, Inc. provides a useful reminder that contracts may give the Government extensive rights over a contractor’s data and software–and, in many cases, contractors must either accept the data rights provision or opt out of the procurement. Contractors should be familiar with the relevant FAR provisions and the possible allocations of rights—or risk losing valuable rights in intellectual property.   Continue Reading Contractors Are Left with Little Recourse when it Comes to Data Rights

A proposed rule issued June 10 would extend pervasive requirements for reporting counterfeit,  suspect, and nonconforming items to all contractors, as well as their subcontractors and suppliers doing business with any U.S. Government department or agency. Unlike the earlier counterfeit electronic parts interim rule issued by the DoD on May 6, 2014, the new proposed rule (also issued pursuant to section 818 of the FY 2012 NDAA) applies Government-wide and is not limited to electronic parts, but rather applies to counterfeit, suspect, and non-conforming items of all types. In addition, the requirements must be flowed down to subcontractors and suppliers at every tier of the supply chain. (The discussion below assumes that flow down.)

The proposed rule assumes that the contractor has an inspection system or quality program that is sufficient to avoid and detect the delivery to, or the use by or for, the Government of items that are “counterfeit,” “suspect,” or contain a “critical” or “major” nonconformance. It imposes two requirements on contractors. First, the rule requires that a contractor screen the Government Industry Data Exchange Program (GIDEP) reports to avoid delivery to or use by/for the Government. Second, it requires that contractors report to GIDEP and to the Government’s Contracting Officer (CO) when the contractor becomes aware of a counterfeit, suspect, or non-conforming item. Reports to the CO must be submitted in writing within 30 days of the contractor becoming aware of a counterfeit or suspect item. Items reported to the CO must be retained until the CO directs disposition. The contractor also must report to GIDEP within 60 days of becoming aware of:

(i)  a counterfeit or suspect item; or

(ii) an item that contains a major or critical nonconformance that is also a “common” item and constitutes a “quality escape” that results in the release of such items to more than one customer.

The proposed rule is intended to build on the contractor inspection systems already required by the FAR. But contractors’ existing systems are likely to require enhancement due to the new definitions and requirements to be imposed by the rule.

The rule says nothing about reporting in connection with the Mandatory Disclosure Rule, which requires a report to the CO and the agency Inspector General if the contractor has “credible evidence” of a false claim.

Even more than the DoD rule, this proposal will impose onerous compliance requirements and potential liabilities on commercial entities throughout the economy who do not view themselves as Government suppliers—and indeed, may not be aware that their products have ended up in a Government contractor’s supply chain. Failure to comply with the new rule potentially would expose such entities to substantial risks for costs, penalties and damages.

Pursuant to a legislative mandate, the US Department of Defense (DoD) has issued an expansive rule (the Rule) aimed at protecting DoD systems of all types from “counterfeit” and “suspect” electronic parts (all references to “parts” in the following discussion are to electronic parts). The Rule, issued in final form on May 6, 2014, applies to DoD prime contractors and is required to flow down to all subcontractors and suppliers throughout the supply chain.

The Rule is one of four that are being developed to implement Section 818 of the 2012 National Defense Authorization Act. The Rule requires prime contractors to create and maintain acceptable systems and internal control procedures to detect and avoid counterfeit parts. These systems and procedures are also required to flow down to subcontractors and suppliers at all tiers that have any role in the buying or selling of electronic parts, assemblies containing such parts or in testing of parts. Prime contractors that fail to provide and maintain acceptable systems are at risk for substantial losses—such as withholding of contract payments, disallowance for costs of the counterfeit part and the costs of rework or corrective measures—as well as potential fraud claims.

The Rule applies to counterfeit electronic parts and suspect counterfeit electronic parts. A “suspect” part is defined as one for which “credible evidence (including visual inspection)” provides “reasonable doubt” that the part is authentic. A contractor’s system is required to include “risk-based policies and procedures” that address 12 areas. The Rule does not provide the risk-based polices and procedures, but leaves it to the contractor to determine risk and how to address it with appropriate systems. The practical effect is to confer substantial discretion on Government contracting personnel and auditors who review these systems to make judgments about their effectiveness and compliance. The areas to be covered by a contractors systems and, thus, flowed down for coverage by subcontractor/supplier systems include:

  • Inspection and testing, which must be performed in accordance with “accepted Government- and industry-recognized techniques” selected by the contractor to minimize risk to the Government. DoD recognizes that it is impossible to test every part. Risk components include: (i) the risk of receiving a counterfeit part, (ii) the probability that it will be detected and (iii) the potential negative consequences of a counterfeit being installed (e.g., safety and mission success).
  • Processes to abolish counterfeit parts proliferation.
  • Processes for maintaining electronic part traceability. The processes are to enable tracing the supply chain back to the original manufacturer (whether the part is discrete or contained in an assembly). Traceability “shall” include certification, documentation, clear identification of the intermediaries from the manufacturer to the direct source of the product for the seller and, if possible, the manufacturers’ batch identification. Item Unique Identification IUID marking is not required, but is permitted. DoD states that with regard to mission-critical electronic parts and parts that could impact human safety it has a “zero-tolerance policy.”
  • Use of suppliers that are the original manufacturer (OEM), or sources with express written authority of the OEM. For many defense systems, obsolete parts are an issue as the defense platform life exceeds the electronic part life. For parts that are not available from the preferred sources, contractors and subcontractors must develop detection and avoidance system criteria for other suppliers that comport with the Rule. DoD states that it views obsolescence control as a contractor responsibility.
  • Processes for reporting and quarantining of counterfeit and suspect counterfeit parts. Reports must be made to the Government Contracting Officer and to the Government-Industry Data Exchange Program (GIDEP) whenever the contractor or subcontractor “becomes aware of or has reason to suspect that” a part purchased by or for the DoD contains a counterfeit or suspect part. Further, such parts “shall not” be returned (unless determined to be authentic).
  • Procedures for “rapidly” determining if a part is counterfeit.
  • Screening processes for GIDEP reports and processes for “keeping continually informed” about trends, including detection and avoidance techniques.
  • Control of obsolete parts to maximize the availability and use of “authentic,” originally designed and qualified parts throughout the product’s life.

One of the additional rulemakings that is underway will address expansion of reporting requirements. While not yet clear, at least currently there is no guidance regarding how the Rule is to interact with the current Mandatory Disclosure provisions of the Federal Acquisition Regulation (FAR), which require contractors to self report if they have, among other things, “credible evidence” of a civil False Claims Act violation. The Rule’s commentary suggests that counterfeit part reporting should not be within the ambit of the Mandatory Disclosure requirements, but guidance is not provided.

The Rule has the potential to expose contractors and subcontractors to new compliance investigations, as well as new false claims actions. For commercial suppliers, these risks are new and the Rule is likely to require enhanced internal controls and compliance programs.